Node: crypto Decipher: setAuthTag() must be called before update()

OK reading the source I can see how and why this behaviour occurs, and I have found a workaround, maybe docs could mention it.

From master/src/node_crypto.cc

• function CipherBase::SetAuthTag does not actually set anything in the engine (it does not call EVP_CIPHER_CTX_ctrl)
• function CipherBase::Update is where the tag is actually set, the first time it is called after the key is set (it calls EVP_CIPHER_CTX_ctrl(... EVP_CTRL_AEAD_SET_TAG ...))

So the result is that:

• a call to (js) setAuthTag() after all calls to update() and before calling final() doesn't work, the tag is never actually set in OpenSSL
• multiple calls to setAuthTag() e.g. setAuthTag() then update() then setAuthTag() then final() doesn't work, only the first tag is actually set in OpenSSL, the second tag is ignored

The workaround I found is to set the authtag then make one final call to update() with empty data. That works.

My example above, modified with workaround so it works in both cases:

const authTagBeforeUpdate = false; // true works, false now also works

const crypto = require('crypto');
const cleartext = Buffer.from("abcdefghijklmnopqrstuvwxyz0123");
const key = Buffer.from("abcdefghijklmnopqrstuvwxyz012345");
const iv = Buffer.from("0123456789ab");
console.log('cleartext', cleartext);
console.log('key      ', key);
console.log('iv       ', iv);

const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
const ciphertext = Buffer.concat([cipher.update(cleartext), cipher.final()]);
const authTag = cipher.getAuthTag();
console.log('authTag  ', authTag);

const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
if (authTagBeforeUpdate) {
    decipher.setAuthTag(authTag);
}
let result_update = decipher.update(ciphertext);
if (!authTagBeforeUpdate) {
    decipher.setAuthTag(authTag);

    // Workaround:
    decipher.update(Buffer.from([]));
}
let result_final = decipher.final();
let result_cleartext = Buffer.concat([result_update, result_final]);
console.log('result   ', result_cleartext);

/cc @nodejs/crypto

I just noticed that there is still an edge case where this doesn't work: If a user restricts the permitted length of GCM authentication tags to a single value while calling createDecipheriv via the authTagLength option and sets the authentication tag after calling update, verification will still fail. Working on it.

Fixed in #22828.

Is there any way to use a decipher stream, and set the authTag later? In other words, perform the integrity check after decipher is done.

It seems like one still needs to set the authTag _before_ calling .pipe(decipher), since the stream will automatically call decipher.final() when the stream's 'end' event fires.

@bencmbrook that is my original use case in this ticket as well, and yes you can.

You will need to use your own custom decipher stream, so you can set authTag before the stream finishes.
But -- you probably already need to have a custom stream, yes? In order to parse out authTag from the encrypted data?

In my case I use a Transform stream as a wrapper around the crypto stream, so my transform pre-parses the input before passing it on to the crypto decipher stream, and when it knows its found the authTag and has read all of it, it then calls decipher.setAuthTag() and then decipher.final().

Thanks @achronos0 - put some basic source code together for the next person :)
https://github.com/transcend-io/lazydecipheriv/